Identification and authentication system and method for a secure data exchange
Abstract
An identification and authentication system for secure data exchange over a communications network with a controlled name space, the system having a digital credential generation authority, a credential revocation service, multiple computers, each having: an engine for communicating over the communications network; and at least one application communicating with the engine; at least one domain controller having: an engine for communicating over the communications network; an address resolution service to store network addresses of applications; a key distribution service for distributing keys to engines within the communications network; and a time synchronization module for synchronizing time on engines wherein each of the computers receives a credential for one domain controller authorizing each of the computers to communicate in the system, and each computer further communicates with one domain controller to obtain keys for secure data exchange between applications on the system and the location of applications within the communications network.
Claims
exact text as granted — not AI-modified1 . An identification and authentication system for secure data exchange over a communications network with a controlled name space, said system comprising:
a) a digital credential generation authority for creating and distributing credentials, said credentials having an expiration time; b) a credential revocation service for distributing a list of revoked credentials; c) a plurality of computers, each of said plurality of computers having:
i. an engine for communicating over said communications network;
ii. at least one application communicating with said engine; and
iii. said list received from said credential revocation service;
d) at least one domain controller, each of said at least one domain controller having:
i. an engine for communicating over said communications network;
ii. an address resolution service to store a network address of said at least one application;
iii. a key distribution service for distributing keys to engines within said communications network; and
iv. a time synchronization module for synchronizing time on engines,
wherein each of said plurality of computers receives a non-revoked credential for one of said at least one domain controller from said digital credential generation authority authorizing each of said plurality of computers to communicate in said system, and each of said computers further communicates with one of said at least one domain controller to obtain keys for secure data exchange between applications on said system and the location of applications within said communications network.
2 . The system of claim 1 , wherein said at least one application communicates with said engine through an application layer on said plurality of computers.
3 . The system of claim 1 , wherein said credential is a digital credential issued internally.
4 . The system of claim 1 , wherein said credential is only valid if it is not within the list of revoked credentials.
5 . The system of claim 1 , wherein said keys for secure data exchange between applications are symmetric keys.
6 . The system of claim 1 , wherein said key distributed by said key distribution service is distributed to said engines using a split-ticket Kerberos session.
7 . The system of claim 1 , wherein communications between applications uses an addressing scheme distinguishable from an Internet Protocol address.
8 . The system of claim 7 , wherein the addressing scheme includes a unique identifier to identify a receiver on an engine within said plurality of computers.
9 . The system of claim 8 , wherein the unique identifier includes a domain identifier for the domain of the receiver.
10 . The system of claim 9 , wherein the unique identifier includes a computer identifier.
11 . The system of claim 8 , wherein the unique identifier includes a receiver identifier.
12 . The system of claim 9 , wherein the unique identifier further includes an alias name for the receiver.
13 . The system of claim 1 , wherein said system allows all mutual authentication and key exchanges to be performed internally.
14 . The system of claim 1 , wherein movement of an application to a new network address is recorded in the address resolution service, thereby simplifying dynamic network management.
15 . A method of providing secure data exchange in a communications network comprising the steps of:
a. connecting a computer having an engine and at least one application to a communications network with a controlled name space; b. sending a request from said engine to a digital credential generation authority to obtain a credential for a domain controller; c. receiving a non-revoked credential at said computer. d. using said credential to perform authentication by said computer of said domain controller; e. registering said at least one application with an address resolution service on said domain controller; f. requesting the address of a second application to which said at least one application wishes to communicate with; g. obtaining a key from a key distribution service on said domain controller to encrypt and thus securely exchange data with said second application; h. securely exchanging data with said second application using said key.
16 . The method of claim 15 wherein the step of securely exchanging data uses a symmetrical encryption key.
17 . The method of claim 15 , wherein the obtaining step uses a split-ticket Kerberos session to distribute said key.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.